...that seems new. I see it's an RBL that "contains domains registered
within the last five days".

Can someone explain what that means? I guess it means "seen by DOB
within the last five days" more than a domain that was registered within
the last five days?

I say that because email from my home domain (registered 4 years ago) is
currently on the list...

Anyway, emails that are on the list seem to trigger 3 different rules -
which adds up to +2 points - is that expected behaviour?

Thanks

Jason


e.g. (actual spam to the Samba mailing-list)

0.0 STOX_REPLY_TYPE STOX_REPLY_TYPE
-4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/,
medium
trust
[66.70.73.150 listed in list.dnswl.org]
0.3 DNS_FROM_DOB RBL: Sender from new domain (Day Old Bread)
0.8 RCVD_IN_DOB RBL: Received via relay in new domain (Day
Old Bread)
2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
[Blocked - see
]
1.1 RCVD_IN_SORBS_WEB RBL: SORBS: sender is a abuseable web server
[88.232.135.123 listed in dnsbl.sorbs.net]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
1.5 RAZOR2_CF_RANGE_E8_51_100 Razor2 gives engine 8 confidence level
above 50%
[cf: 100]
0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
[cf: 100]
0.9 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
[URIs: samba.org]


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1